
Security Checklist: .NET Framework 2.0

 
Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Chaitanya Bijwe

Microsoft Corporation

November 2005

Applies To

  • .NET Framework version 2.0

Summary

This checklist presents a set of consolidated security guidelines for .NET Framework version 2.0 applications. The answers and recommendations presented in this module are designed to supplement the companion modules and additional guidance. The guidelines are organized by various categories that represent those areas where mistakes are most often made.

Contents

How To Use This Module
Assembly Design Considerations
Class Design Considerations
Strong Names
APTCA
Exception Management
File I/O
Registry
Communication Security
Event Log
Data Access
Delegates
Serialization
Threading
Reflection
Obfuscation
Cryptography
Sensitive Data
Unmanaged Code
Companion Guidance

How to Use This Module

This checklist is a companion to Security Guidelines: .NET Framework 2.0. Use "Security Guidelines: .NET Framework 2.0" to learn about the .NET Framework 2.0 guidelines and to learn what you should do, why you should do it, and how you can implement each guideline. Use this checklist as you develop your managed code.

You should expand and evolve this security checklist by adding managed code practices that you discover during software development.

Assembly Design Considerations

  • Target trust environment is identified. Permissions available to partial trust code and APIs that require additional permissions are identified.
  • Design exposes a minimal number of public interfaces to limit the assembly's attack surface.

Class Design Considerations

  • To reduce visibility, classes and members use the most restrictive access modifier possible.
  • Base classes that are not intended to be derived from are sealed.
  • Strong naming or code access security is used to restrict code access.
  • Input is not trusted. Input is validated for type, range, format and length.
  • Fields are private. Properties are used to expose fields.
  • Properties are read-only unless write access is specifically required.
  • Where appropriate, private default constructors are used to prevent object instantiation.
  • Static constructors are private.
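
The class design items above, applied to one value type as an added example (this code is not from the checklist or its authors). `AccountId` is a hypothetical type: sealed, private field, read-only property, private constructor so instances come only from the validating factory, and length and format checks on the input before anything is stored. In C#, static constructors cannot carry an access modifier and are always private, so that item needs no code.

```csharp
using System;

// Sealed: no subclass can override or extend the validation below.
public sealed class AccountId
{
    private const int MaxLength = 12;

    // Private field, exposed through a read-only property only.
    private readonly string value;

    // Private constructor: external code cannot bypass Parse.
    private AccountId(string validated)
    {
        this.value = validated;
    }

    public string Value
    {
        get { return this.value; }   // no setter: write access is not required
    }

    // The only way to obtain an instance. Input is treated as untrusted and
    // checked for length first, then for format, before it is accepted.
    public static AccountId Parse(string input)
    {
        if (input == null)
            throw new ArgumentNullException("input");
        if (input.Length == 0 || input.Length > MaxLength)
            throw new ArgumentException("Account id length is out of range.", "input");

        // Format check is an explicit allow-list (digits only), not a deny-list.
        foreach (char c in input)
        {
            if (c < '0' || c > '9')
                throw new ArgumentException("Account id must contain digits only.", "input");
        }
        return new AccountId(input);
    }

    public override string ToString()
    {
        return this.value;
    }
}
```

Because the type cannot be derived from and the field cannot be set after construction, every `AccountId` that exists in the process has passed `Parse`; downstream code can rely on that instead of re-validating.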

Strong Names

  • If required, strong names are used.
  • Strong names are not relied upon to create tamper-proof assemblies.
  • Delay signing is used to reduce the chance of private key compromise or to enable the use of a single public key across a team.
  • In full trust scenarios, StrongNameIdentityPermission is not relied upon to restrict code that can call the assembly.

APTCA

  • Except where necessary, APTCA usage is avoided.
  • Assemblies marked with APTCA are subjected to thorough security code review.
  • SecurityTransparent and SecurityCritical attributes are used appropriately.

Exception Management

  • Structured exception handling is used instead of returning error codes.
  • Sensitive data is not logged.
  • System or sensitive application information is not revealed. Only generic error messages are returned to the end user.
  • Code is not subject to exception filter issues where the filter higher in the call stack executes before code in a finally block.
  • Where appropriate, an exception management system is used.
  • Code fails early to avoid unnecessary processing.
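
An added example (not from the checklist or its authors) covering four of the items above: failing early on bad arguments, returning only a generic message plus a correlation id to the caller while the detail goes to an operator log, and reverting impersonation in a catch block as well as in finally so that an exception filter higher in the call stack cannot run while the impersonated identity is still in effect. `ServiceBoundary`, `Operation` and the use of `Trace` as the log sink are assumptions for the example; the application's own exception management system would take `Trace`'s place.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;

public delegate void Operation();

public static class ServiceBoundary
{
    public struct Outcome
    {
        public bool Succeeded;
        public string UserMessage;   // generic wording only
        public Guid CorrelationId;   // lets support staff find the detailed log record
    }

    public static Outcome Run(string requestId, Operation work)
    {
        // Fail early: reject bad input before any work is started.
        if (work == null) throw new ArgumentNullException("work");
        if (string.IsNullOrEmpty(requestId) || requestId.Length > 64)
            throw new ArgumentException("requestId is missing or too long.", "requestId");

        Outcome outcome = new Outcome();
        outcome.CorrelationId = Guid.NewGuid();
        try
        {
            work();
            outcome.Succeeded = true;
            outcome.UserMessage = "Request completed.";
        }
        catch (Exception ex)
        {
            // Detail goes to the operator log, which must itself be access controlled.
            // The caller sees a fixed sentence and a correlation id, never ex.Message or
            // the stack trace: both routinely carry server names, paths and account names.
            LogForOperators(outcome.CorrelationId, requestId, ex);
            outcome.Succeeded = false;
            outcome.UserMessage = "The request could not be processed. Reference: " + outcome.CorrelationId;
        }
        return outcome;
    }

    private static void LogForOperators(Guid correlationId, string requestId, Exception ex)
    {
        // Trace stands in for the application's exception management system.
        Trace.WriteLine(string.Format("[{0}] request={1} {2}: {3}{4}{5}",
            correlationId, requestId, ex.GetType().FullName, ex.Message,
            Environment.NewLine, ex.StackTrace));
    }

    // Exception filters (VB.NET "Catch ... When") in a caller run before this method's
    // finally block. Reverting in a catch block too closes that window: the catch is the
    // first handler found, so the filter never sees the impersonated identity.
    public static void RunImpersonated(WindowsIdentity identity, Operation work)
    {
        if (identity == null) throw new ArgumentNullException("identity");
        if (work == null) throw new ArgumentNullException("work");

        WindowsImpersonationContext context = identity.Impersonate();
        bool reverted = false;
        try
        {
            work();
        }
        catch
        {
            context.Undo();
            reverted = true;
            throw;
        }
        finally
        {
            if (!reverted) context.Undo();
        }
    }
}
```

The `reverted` flag keeps `Undo` to a single call on each path; the `catch`/`throw;` pair rethrows the original exception with its stack intact after the privileged state is gone.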

File I/O

  • Code avoids untrusted input for file names and file paths.
  • If file names must be accepted through input, the names and locations are first validated.
  • Security decisions are not based on user-supplied file names.
  • Where possible, absolute file paths are used.
  • Where appropriate, file I/O is constrained within the application's context.
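
The file I/O items above in one routine, as an added example that is not part of the checklist. `SafeFileAccess` and the `uploads` directory are assumptions. The base directory is fixed by the application, only a bare file name is accepted from input, the result is turned into an absolute path and re-checked against the base directory after canonicalization, and while the file is read a `FileIOPermission.PermitOnly` confines this stack frame to that directory.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class SafeFileAccess
{
    private const long MaxUploadBytes = 4 * 1024 * 1024;

    // Absolute base directory chosen by the application, never by the caller.
    private static readonly string BaseDirectory =
        Path.GetFullPath(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "uploads"));

    // Accepts a bare file name only and returns an absolute path under BaseDirectory.
    public static string ResolveFileName(string userSuppliedName)
    {
        if (string.IsNullOrEmpty(userSuppliedName) || userSuppliedName.Length > 64)
            throw new ArgumentException("File name is missing or too long.", "userSuppliedName");

        // No separators, no reserved characters, no dot-prefixed names, and no
        // trailing spaces or dots (Windows silently strips those, so they could
        // make two different inputs name the same file).
        if (userSuppliedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0
            || userSuppliedName != Path.GetFileName(userSuppliedName)
            || userSuppliedName.StartsWith(".")
            || userSuppliedName.Trim() != userSuppliedName)
            throw new ArgumentException("File name is not a plain file name.", "userSuppliedName");

        // Build the absolute path, then check the canonical form still sits under the base.
        string full = Path.GetFullPath(Path.Combine(BaseDirectory, userSuppliedName));
        string prefix = BaseDirectory.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!full.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new SecurityException("Resolved path is outside the upload directory.");
        return full;
    }

    public static byte[] ReadUpload(string userSuppliedName)
    {
        string path = ResolveFileName(userSuppliedName);

        // Constrain file I/O for this frame to the upload directory, read access only.
        FileIOPermission scope = new FileIOPermission(FileIOPermissionAccess.Read, BaseDirectory);
        scope.PermitOnly();
        try
        {
            // Explicit open-existing, read-only: no create, no truncate, no write sharing.
            using (FileStream fs = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.Read))
            {
                if (fs.Length > MaxUploadBytes)
                    throw new IOException("Upload exceeds the size limit.");
                byte[] data = new byte[fs.Length];
                int read = 0;
                while (read < data.Length)
                {
                    int n = fs.Read(data, read, data.Length - read);
                    if (n == 0) throw new EndOfStreamException();
                    read += n;
                }
                return data;
            }
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }
}
```

Note that nothing here decides anything from the file name itself (extension, apparent owner, and so on); the name selects a file and nothing more, which is the point of the "security decisions" item.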

Registry

  • Sensitive data stored in HKEY_LOCAL_MACHINE is protected by ACLs.
  • Sensitive data in the registry is encrypted.
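
Both registry items, and the DPAPI item from the Cryptography section, in one added example (not from the checklist or its authors). `ProtectedRegistrySetting`, the key path and the entropy label are assumptions. The value is encrypted with `ProtectedData` (DPAPI, machine scope) before it is written, and the key is created with an explicit `RegistrySecurity` that grants access to Administrators and SYSTEM only.

```csharp
using System;
using System.Security.AccessControl;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using Microsoft.Win32;

public static class ProtectedRegistrySetting
{
    // Hypothetical key path for the example application.
    private const string SubKeyPath = @"SOFTWARE\ExampleApp\Secrets";

    // Application label mixed into DPAPI. It is not a secret; it only stops an
    // unrelated machine-scope caller from decrypting the blob by accident.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleApp secrets v1");

    public static void Store(string name, string secret)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 64)
            throw new ArgumentException("Value name is missing or too long.", "name");
        if (secret == null) throw new ArgumentNullException("secret");

        // Explicit ACL: Administrators and SYSTEM only; parent ACEs are not inherited.
        RegistrySecurity acl = new RegistrySecurity();
        acl.SetAccessRuleProtection(true, false);
        acl.AddAccessRule(FullControlFor(WellKnownSidType.BuiltinAdministratorsSid));
        acl.AddAccessRule(FullControlFor(WellKnownSidType.LocalSystemSid));

        // Machine scope because a service account writes and reads the value. Any local
        // process could call Unprotect on a machine-scope blob, which is why the ACL matters.
        byte[] plain = Encoding.UTF8.GetBytes(secret);
        byte[] cipher;
        try
        {
            cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }

        using (RegistryKey key = Registry.LocalMachine.CreateSubKey(
            SubKeyPath, RegistryKeyPermissionCheck.ReadWriteSubTree, acl))
        {
            // The ACL passed to CreateSubKey applies only when the key is created;
            // SetAccessControl re-applies it on an existing key as well.
            key.SetAccessControl(acl);
            key.SetValue(name, cipher, RegistryValueKind.Binary);
        }
    }

    public static string Retrieve(string name)
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(SubKeyPath, false))
        {
            if (key == null) return null;
            byte[] cipher = key.GetValue(name) as byte[];
            if (cipher == null) return null;

            byte[] plain = ProtectedData.Unprotect(cipher, Entropy, DataProtectionScope.LocalMachine);
            try
            {
                return Encoding.UTF8.GetString(plain);
            }
            finally
            {
                Array.Clear(plain, 0, plain.Length);
            }
        }
    }

    private static RegistryAccessRule FullControlFor(WellKnownSidType sid)
    {
        return new RegistryAccessRule(
            new SecurityIdentifier(sid, null), RegistryRights.FullControl,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None, AccessControlType.Allow);
    }
}
```

`ProtectedData` lives in System.Security.dll. If the value is read by an interactive user rather than a service, `DataProtectionScope.CurrentUser` ties the blob to that user's credentials and removes the dependence on the ACL for confidentiality.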

Communication Security

  • Transport-level encryption is used to protect secrets over the network. IPSec is used to protect the communication channel between two servers, and SSL is used for more granular channel protection for an application.
  • Where appropriate, the System.Net.Security.NegotiateStream class is used for a TCP channel with .NET remoting.
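
The NegotiateStream item above, shown over a plain TCP connection rather than through the remoting channel configuration, as an added example that is not from the checklist. `AuthenticatedChannel` and the service principal name parameter are assumptions. Both sides ask for `ProtectionLevel.EncryptAndSign`, and both check what was actually negotiated instead of assuming it.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Principal;

public static class AuthenticatedChannel
{
    // Server side: wrap an accepted connection and authenticate the caller with
    // the process credentials (Kerberos where available, otherwise NTLM).
    public static NegotiateStream AcceptAuthenticated(TcpClient acceptedClient)
    {
        NegotiateStream stream = new NegotiateStream(acceptedClient.GetStream(), false);
        stream.AuthenticateAsServer(
            CredentialCache.DefaultNetworkCredentials,
            ProtectionLevel.EncryptAndSign,
            TokenImpersonationLevel.Identification);   // identify the caller; do not impersonate
        EnsureProtected(stream);
        return stream;
    }

    // Client side: serverSpn is the service principal name the server runs under,
    // for example "HOST/server.example" (a placeholder, not a value from the checklist).
    public static NegotiateStream ConnectAuthenticated(string host, int port, string serverSpn)
    {
        TcpClient client = new TcpClient(host, port);
        NegotiateStream stream = new NegotiateStream(client.GetStream(), false);
        stream.AuthenticateAsClient(
            CredentialCache.DefaultNetworkCredentials,
            serverSpn,
            ProtectionLevel.EncryptAndSign,
            TokenImpersonationLevel.Identification);
        EnsureProtected(stream);

        // Only Kerberos gives the client proof of the server's identity. With an NTLM
        // fallback the channel is still encrypted, but a client that needs to know it is
        // talking to the right server must insist on mutual authentication.
        if (!stream.IsMutuallyAuthenticated)
            throw new AuthenticationException("Server identity was not authenticated.");
        return stream;
    }

    private static void EnsureProtected(NegotiateStream stream)
    {
        if (!stream.IsAuthenticated || !stream.IsEncrypted || !stream.IsSigned)
            throw new AuthenticationException("Channel is not authenticated, encrypted and signed.");
    }

    // The authenticated caller, available to the server for authorization decisions.
    public static string CallerName(NegotiateStream serverStream)
    {
        return serverStream.RemoteIdentity.Name;
    }
}
```

The `false` passed to the `NegotiateStream` constructor keeps the inner `NetworkStream` open when the wrapper is disposed; close the `TcpClient` yourself when the conversation ends.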

Event Log

  • Sensitive data is not logged in the event log.
  • Event log data is not exposed to unauthorized users.

Data Access

  • Connection strings are not hard coded. Connection strings are stored in configuration files.
  • Connection strings are encrypted if they contain credentials.
  • To prevent SQL injection, input is validated and parameterized stored procedures are used.
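
The three data access items in one repository method, as an added example (not from the checklist or its authors). `CustomerRepository`, the `CustomerDb` connection string name and the `dbo.Customer_FindByLastName` procedure are assumptions. The connection string is read from the `<connectionStrings>` section, which protected configuration can encrypt in place; the input is validated for length and format; and the value reaches SQL Server only as a typed parameter of a stored procedure.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class CustomerRepository
{
    // From <connectionStrings> in the configuration file (reference System.Configuration.dll).
    // Encrypting that section with protected configuration keeps credentials out of
    // source and out of clear text on disk.
    private static string ConnectionString
    {
        get
        {
            ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings["CustomerDb"];
            if (settings == null)
                throw new ConfigurationErrorsException("Connection string 'CustomerDb' is not configured.");
            return settings.ConnectionString;
        }
    }

    public static DataTable FindByLastName(string lastName)
    {
        // Validation keeps junk out of the database and the logs; the parameter
        // below is what actually prevents the value from being read as SQL.
        if (string.IsNullOrEmpty(lastName) || lastName.Length > 40)
            throw new ArgumentException("Last name is missing or too long.", "lastName");
        foreach (char c in lastName)
        {
            if (!char.IsLetter(c) && c != ' ' && c != '-' && c != '\'')
                throw new ArgumentException("Last name contains unexpected characters.", "lastName");
        }

        // The pattern this replaces, for contrast, builds SQL text from the input:
        //   "SELECT ... WHERE LastName = '" + lastName + "'"
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = connection.CreateCommand())
        {
            command.CommandType = CommandType.StoredProcedure;
            command.CommandText = "dbo.Customer_FindByLastName";

            // Typed and size-limited: the value is sent as data, never spliced into SQL text.
            SqlParameter p = command.Parameters.Add("@LastName", SqlDbType.NVarChar, 40);
            p.Value = lastName;

            connection.Open();
            DataTable table = new DataTable();
            using (SqlDataReader reader = command.ExecuteReader(CommandBehavior.CloseConnection))
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

The procedure itself should use the parameter directly and not rebuild dynamic SQL from it; a parameterized call to a procedure that concatenates its arguments gains nothing.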

Delegates

  • Delegates are not accepted from untrusted sources.
  • Where appropriate, permissions to the delegate are restricted.
  • Permissions are not asserted before the delegate is called.

Serialization

  • The ISerializable interface or the NonSerialized attribute is used to control serialization of sensitive data.
  • Serialized data streams are validated when they are deserialized.
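
An added example for both serialization items (not code from the checklist or its authors). `SessionTicket`, `TicketOnlyBinder` and `TicketCodec` are assumptions. The type implements `ISerializable` so that its secret field is never written to the stream, re-validates every field in the deserialization constructor, and the formatter is given an allow-list `SerializationBinder` so it will only materialize this one type from the stream.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public sealed class SessionTicket : ISerializable
{
    private readonly string userName;
    private readonly DateTime expiresUtc;
    private readonly byte[] sessionSecret;   // never written to the stream

    public SessionTicket(string userName, DateTime expiresUtc, byte[] sessionSecret)
    {
        Validate(userName, expiresUtc);
        this.userName = userName;
        this.expiresUtc = expiresUtc;
        this.sessionSecret = sessionSecret;
    }

    // Deserialization constructor: the stream may have been altered since it was
    // produced, so each value is checked exactly as constructor input would be.
    private SessionTicket(SerializationInfo info, StreamingContext context)
    {
        string name = info.GetString("userName");
        DateTime expires;
        try
        {
            expires = new DateTime(info.GetInt64("expiresUtcTicks"), DateTimeKind.Utc);
        }
        catch (ArgumentOutOfRangeException)
        {
            throw new SerializationException("Expiry is out of range.");
        }
        Validate(name, expires);
        this.userName = name;
        this.expiresUtc = expires;
        this.sessionSecret = null;   // must be re-established by the application
    }

    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("userName", userName);
        info.AddValue("expiresUtcTicks", expiresUtc.Ticks);
        // sessionSecret is deliberately omitted.
    }

    private static void Validate(string name, DateTime expires)
    {
        if (string.IsNullOrEmpty(name) || name.Length > 64)
            throw new SerializationException("User name is missing or too long.");
        foreach (char c in name)
        {
            if (!char.IsLetterOrDigit(c) && c != '.' && c != '_')
                throw new SerializationException("User name contains unexpected characters.");
        }
        if (expires.Kind != DateTimeKind.Utc || expires > DateTime.UtcNow.AddDays(1))
            throw new SerializationException("Expiry is not a plausible UTC time.");
    }

    public string UserName { get { return userName; } }
    public DateTime ExpiresUtc { get { return expiresUtc; } }
    public bool HasSecret { get { return sessionSecret != null; } }
}

// Allow-list binder: any other type name in the stream is rejected before instantiation.
public sealed class TicketOnlyBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(SessionTicket).FullName)
            return typeof(SessionTicket);
        throw new SerializationException("Unexpected type in stream: " + typeName);
    }
}

public static class TicketCodec
{
    public static byte[] Save(SessionTicket ticket)
    {
        BinaryFormatter formatter = new BinaryFormatter();
        using (MemoryStream stream = new MemoryStream())
        {
            formatter.Serialize(stream, ticket);
            return stream.ToArray();
        }
    }

    public static SessionTicket Load(byte[] data)
    {
        BinaryFormatter formatter = new BinaryFormatter();
        formatter.Binder = new TicketOnlyBinder();
        using (MemoryStream stream = new MemoryStream(data))
        {
            return (SessionTicket)formatter.Deserialize(stream);
        }
    }
}
```

Validation inside the type only covers field values; the binder is what limits which types the formatter will construct. `BinaryFormatter` is the serializer of the .NET Framework 2.0 era that the checklist addresses; on current frameworks Microsoft advises against using it for data from untrusted sources at all, so treat the binder as a mitigation, not a substitute for that advice.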

Threading

  • Multithreaded code does not cache the results of security checks.
  • Impersonation tokens are not lost; they flow to the newly created thread.
  • Static class constructors are synchronized.
  • Dispose methods are synchronized.

Reflection

  • Full assembly names are used when Activator.CreateInstance loads add-ins.
  • Separate, low-trust application domains are used for assemblies created with user input.
  • Assemblies are not loaded dynamically based on user input for assembly or type names.
  • Untrusted code does not use Reflection.Emit to create dynamic assemblies.
  • Unless required, dynamic assemblies created by Reflection.Emit are not persisted.
  • Assembly.ReflectionOnlyLoadFrom is used only if you need to inspect code.
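
The first three reflection items together, as an added example that is not from the checklist. `IReportPlugin`, `PluginLoader`, the catalog entries and the `PLACEHOLDER_TOKEN` public key token are assumptions. User input selects a key in an application-owned catalog; the fully qualified assembly name and type name come from the catalog, never from the input; and the add-in is created in its own application domain, whose trust level is then a matter of that domain's security policy.

```csharp
using System;
using System.Collections.Generic;

// Add-ins must derive from MarshalByRefObject so the host gets a proxy across
// the domain boundary instead of a serialized copy running in the host domain.
public interface IReportPlugin
{
    string Render();
}

public static class PluginLoader
{
    // Catalog keyed by the value the user may choose. Each entry holds a full
    // assembly name (with version, culture and public key token) and a type name.
    private static readonly Dictionary<string, string[]> Catalog = BuildCatalog();

    private static Dictionary<string, string[]> BuildCatalog()
    {
        Dictionary<string, string[]> catalog = new Dictionary<string, string[]>(StringComparer.Ordinal);
        catalog["csv"] = new string[] {
            "ExampleApp.Reports.Csv, Version=1.0.0.0, Culture=neutral, PublicKeyToken=PLACEHOLDER_TOKEN",
            "ExampleApp.Reports.Csv.CsvReport" };
        catalog["html"] = new string[] {
            "ExampleApp.Reports.Html, Version=1.0.0.0, Culture=neutral, PublicKeyToken=PLACEHOLDER_TOKEN",
            "ExampleApp.Reports.Html.HtmlReport" };
        return catalog;
    }

    // Returns the add-in and the domain it lives in; the caller unloads the domain when done.
    public static IReportPlugin Load(string userKey, out AppDomain pluginDomain)
    {
        string[] entry;
        if (userKey == null || !Catalog.TryGetValue(userKey, out entry))
            throw new ArgumentException("Unknown report type.", "userKey");

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;
        pluginDomain = AppDomain.CreateDomain("ReportPlugin-" + userKey, null, setup);
        try
        {
            // Full assembly name: a partially named load could bind to a different
            // assembly of the same simple name placed in the probing path.
            object instance = pluginDomain.CreateInstanceAndUnwrap(entry[0], entry[1]);
            IReportPlugin plugin = instance as IReportPlugin;
            if (plugin == null)
                throw new InvalidOperationException("Add-in does not implement IReportPlugin.");
            return plugin;
        }
        catch
        {
            AppDomain.Unload(pluginDomain);
            pluginDomain = null;
            throw;
        }
    }
}
```

Unloading the domain is the only way to get the add-in's code out of the process, which is why it is returned to the caller rather than kept inside the loader.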

Obfuscation

  • Secrets are not stored in code.
  • Where appropriate, obfuscation is used to make intellectual property theft more difficult.

Cryptography

  • Platform-provided cryptographic services are used. Custom cryptography algorithms are not used.
  • Appropriate key sizes are used.
  • GenerateKey is used to generate random keys for a managed symmetric cryptographic class.
  • Where appropriate, DPAPI is used to protect secrets and to reduce or eliminate key management.
  • PasswordDeriveBytes is used for password-based encryption.
  • Keys are not stored in code.
  • Access to persisted keys is restricted (for example with ACLs).
  • Keys are cycled periodically.
  • Exported private keys are protected.
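
An added example (not from the checklist or its authors) for the symmetric items above: a 256-bit key from `GenerateKey`, a fresh IV per message from `GenerateIV`, platform algorithms only, and a key that is always supplied by the caller rather than written into the source. `SealedBox` and its output layout are assumptions. Two departures from the checklist text, stated plainly: the password path uses `Rfc2898DeriveBytes` (PBKDF2), which .NET Framework 2.0 also provides, in place of `PasswordDeriveBytes`, and an HMAC-SHA256 tag is added over the IV and ciphertext so that a modified message is rejected before decryption.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SealedBox
{
    private const int KeyBytes = 32;     // AES-256
    private const int BlockBytes = 16;   // AES block and IV size
    private const int TagBytes = 32;     // HMAC-SHA256

    // Random key from the provider itself, never a literal in code.
    public static byte[] NewKey()
    {
        using (RijndaelManaged aes = new RijndaelManaged())
        {
            if (!aes.ValidKeySize(KeyBytes * 8))
                throw new CryptographicException("Provider does not support the requested key size.");
            aes.KeySize = KeyBytes * 8;
            aes.GenerateKey();
            return aes.Key;
        }
    }

    // Password-based key: salt must be random per password and stored beside the data.
    public static byte[] KeyFromPassword(string password, byte[] salt, int iterations)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations);
        return kdf.GetBytes(KeyBytes);
    }

    // Layout: IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32).
    public static byte[] Encrypt(byte[] key, byte[] plaintext)
    {
        CheckKey(key);
        if (plaintext == null) throw new ArgumentNullException("plaintext");
        using (RijndaelManaged aes = NewCipher(key))
        {
            aes.GenerateIV();   // fresh random IV for every message
            byte[] ciphertext;
            using (ICryptoTransform encryptor = aes.CreateEncryptor())
                ciphertext = encryptor.TransformFinalBlock(plaintext, 0, plaintext.Length);

            byte[] output = new byte[BlockBytes + ciphertext.Length + TagBytes];
            Buffer.BlockCopy(aes.IV, 0, output, 0, BlockBytes);
            Buffer.BlockCopy(ciphertext, 0, output, BlockBytes, ciphertext.Length);
            using (HMACSHA256 mac = new HMACSHA256(Subkey(key, "mac")))
            {
                byte[] tag = mac.ComputeHash(output, 0, BlockBytes + ciphertext.Length);
                Buffer.BlockCopy(tag, 0, output, BlockBytes + ciphertext.Length, TagBytes);
            }
            return output;
        }
    }

    public static byte[] Decrypt(byte[] key, byte[] sealedData)
    {
        CheckKey(key);
        if (sealedData == null || sealedData.Length < BlockBytes + BlockBytes + TagBytes)
            throw new CryptographicException("Sealed data is too short.");
        int bodyLength = sealedData.Length - TagBytes;

        // Verify the tag before touching the ciphertext; compare every byte so the
        // time taken does not reveal where a forged tag first differs.
        byte[] expectedTag;
        using (HMACSHA256 mac = new HMACSHA256(Subkey(key, "mac")))
            expectedTag = mac.ComputeHash(sealedData, 0, bodyLength);
        int diff = 0;
        for (int i = 0; i < TagBytes; i++)
            diff |= sealedData[bodyLength + i] ^ expectedTag[i];
        if (diff != 0) throw new CryptographicException("Authentication tag mismatch.");

        using (RijndaelManaged aes = NewCipher(key))
        {
            byte[] iv = new byte[BlockBytes];
            Buffer.BlockCopy(sealedData, 0, iv, 0, BlockBytes);
            aes.IV = iv;
            using (ICryptoTransform decryptor = aes.CreateDecryptor())
                return decryptor.TransformFinalBlock(sealedData, BlockBytes, bodyLength - BlockBytes);
        }
    }

    // Separate encryption and MAC keys derived from the one caller-supplied key.
    private static byte[] Subkey(byte[] master, string label)
    {
        using (HMACSHA256 h = new HMACSHA256(master))
            return h.ComputeHash(Encoding.ASCII.GetBytes(label));
    }

    private static RijndaelManaged NewCipher(byte[] key)
    {
        RijndaelManaged aes = new RijndaelManaged();
        aes.KeySize = KeyBytes * 8;
        aes.BlockSize = BlockBytes * 8;
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = Subkey(key, "enc");
        return aes;
    }

    private static void CheckKey(byte[] key)
    {
        if (key == null || key.Length != KeyBytes)
            throw new ArgumentException("Key must be " + KeyBytes + " bytes.", "key");
    }
}
```

Where the key comes from is outside this class on purpose: from DPAPI, from an ACL-protected key store, or from `KeyFromPassword`. Key cycling fits the same boundary; prefixing the output with a key identifier lets old messages be decrypted with the key that sealed them while new messages use the current one.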

Sensitive Data

  • Where appropriate, SecureString is used rather than System.String.
  • Secrets are held in memory for only a limited time.
  • Protected configuration is used to protect sensitive data and secrets in configuration files.
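
The first two sensitive data items, as an added example (not from the checklist or its authors). `PasswordCheck` and the PBKDF2 verification scheme are assumptions. A password typed at the console is collected into a `SecureString` one character at a time, so no `System.String` copy is ever created, and when it has to be used the clear text exists only in an unmanaged BSTR and a `char[]` that are both zeroed before the method returns.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Cryptography;
using System.Text;

public static class PasswordCheck
{
    private const int Iterations = 10000;

    // Collect the password without ever building a managed string from it.
    public static SecureString ReadFromConsole()
    {
        SecureString secret = new SecureString();
        while (true)
        {
            ConsoleKeyInfo key = Console.ReadKey(true);
            if (key.Key == ConsoleKey.Enter) break;
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secret.Length > 0) secret.RemoveAt(secret.Length - 1);
            }
            else if (key.KeyChar != '\0')
            {
                secret.AppendChar(key.KeyChar);
            }
        }
        secret.MakeReadOnly();
        return secret;
    }

    // Compare the secret against a stored PBKDF2 hash. The clear text is exposed
    // only for the duration of this method and is wiped on every exit path.
    public static bool Verify(SecureString secret, byte[] salt, byte[] expectedHash)
    {
        if (secret == null) throw new ArgumentNullException("secret");
        if (salt == null || expectedHash == null) throw new ArgumentNullException("salt/expectedHash");

        IntPtr bstr = IntPtr.Zero;
        char[] chars = new char[secret.Length];
        byte[] utf8 = null;
        byte[] actualHash = null;
        try
        {
            bstr = Marshal.SecureStringToBSTR(secret);   // decrypted copy in unmanaged memory
            Marshal.Copy(bstr, chars, 0, chars.Length);
            utf8 = Encoding.UTF8.GetBytes(chars);
            actualHash = new Rfc2898DeriveBytes(utf8, salt, Iterations).GetBytes(expectedHash.Length);

            int diff = 0;   // fixed-time comparison over the whole hash
            for (int i = 0; i < expectedHash.Length; i++)
                diff |= actualHash[i] ^ expectedHash[i];
            return diff == 0;
        }
        finally
        {
            if (bstr != IntPtr.Zero) Marshal.ZeroFreeBSTR(bstr);
            Array.Clear(chars, 0, chars.Length);
            if (utf8 != null) Array.Clear(utf8, 0, utf8.Length);
            if (actualHash != null) Array.Clear(actualHash, 0, actualHash.Length);
        }
    }
}
```

The limit of the pattern is worth knowing: `Rfc2898DeriveBytes` keeps its own copy of the password bytes until it is collected, so this shortens the exposure window rather than closing it. The third item, protected configuration, is a deployment step (encrypting the configuration section with the `aspnet_regiis` tool or the `SectionInformation.ProtectSection` API) rather than something the reading code does.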

Unmanaged Code

  • Naming conventions are used (safe, native, unsafe) to identify unmanaged APIs.
  • Unmanaged API calls are isolated in a wrapper assembly.
  • String parameters that are passed to native code are constrained and validated to reduce the risk of buffer overrun, integer overflow, and other vulnerabilities.
  • Array bounds are validated when an array is used to pass input to a native API.
  • File path lengths are checked when a file name and path are passed to an unmanaged API.
  • Unmanaged code is compiled with the /GS switch to enable stack probes.
  • Unmanaged code is inspected for potentially dangerous APIs.
  • Unmanaged types or handles are not exposed to partially trusted code.
  • The SuppressUnmanagedCode attribute is used only if the assembly takes precautions to ensure that malicious code cannot coerce it into performing unwanted operations.
  • Pointers are held in private fields to prevent access violations or attempts to dereference them to gain access to sensitive information.
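
A wrapper for one Win32 call, `GetShortPathNameW`, as an added example (not from the checklist or its authors) of the naming, isolation, string length, path length and SuppressUnmanagedCodeSecurity items above. `ShortPathWrapper` is an assumption; the Win32 signature is the documented one. The P/Invoke declaration is private, the only public method validates its argument before the string crosses into native code, and the output buffer's size is passed explicitly and checked against the API's return value.

```csharp
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;

public static class ShortPathWrapper
{
    private const int MaxPath = 260;

    // "NativeMethods" naming marks these as raw declarations that are never called
    // from outside this class. No SuppressUnmanagedCodeSecurity is applied, so the
    // runtime's UnmanagedCode demand still protects against partially trusted callers.
    private static class NativeMethods
    {
        [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
        internal static extern uint GetShortPathNameW(
            string lpszLongPath, StringBuilder lpszShortPath, uint cchBuffer);
    }

    public static string GetShortPath(string longPath)
    {
        if (longPath == null) throw new ArgumentNullException("longPath");

        // Length is bounded before the call, and an embedded NUL is rejected because
        // the native side would stop reading at it and act on a different path.
        if (longPath.Length == 0 || longPath.Length >= MaxPath)
            throw new ArgumentException("Path is empty or not shorter than MAX_PATH.", "longPath");
        if (longPath.IndexOf('\0') >= 0)
            throw new ArgumentException("Path contains an embedded null character.", "longPath");

        // The marshaller sizes the native buffer from Capacity; cchBuffer tells the
        // callee that same size, so the two can never disagree.
        StringBuilder buffer = new StringBuilder(MaxPath);
        uint length = NativeMethods.GetShortPathNameW(longPath, buffer, (uint)buffer.Capacity);

        if (length == 0)
            throw new Win32Exception(Marshal.GetLastWin32Error());
        if (length > (uint)buffer.Capacity)
        {
            // The API reports the size it needed. Treat that as a failure rather than
            // retrying with a buffer sized from untrusted input.
            throw new PathTooLongException("Short path does not fit in MAX_PATH characters.");
        }
        return buffer.ToString();
    }
}
```

The same shape applies to any call that fills a caller-supplied buffer: validate the input's length, pass the buffer size you actually allocated, and check the return value against that size before trusting the contents.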

Companion Guidance

Security Guidelines: .NET Framework 2.0

Feedback

Provide feedback by using either a Wiki or e-mail:

We are particularly interested in feedback regarding the following:

  • Technical issues specific to recommendations
  • Usefulness and usability issues

Technical Support

Technical support for the Microsoft products and technologies referenced in this guidance is provided by Microsoft Support Services. For product support information, please visit the Microsoft Product Support Web site at http://support.microsoft.com.

Community and Newsgroups

Community support is provided in the forums and newsgroups:

To get the most benefit, find the newsgroup that corresponds to your technology or problem. For example, if you have a problem with ASP.NET security features, you would use the ASP.NET Security forum.

Contributors and Reviewers

  • External Contributors and Reviewers: Anil John, Johns Hopkins University–Applied Physics Laboratory; Frank Heidt; Jason Taylor, Security Innovation
  • Microsoft Product Group: Don Willits, Pablo Castro, Stefan Schackow
  • Microsoft IT Contributors and Reviewers: Akshay Aggarwal, Shawn Veney, Talhah Mir
  • Microsoft Services and PSS Contributors and Reviewers: Adam Semel, Tom Christian, Wade Mascia
  • Microsoft patterns & practices Contributors and Reviewers: Carlos Farre
  • Test team: Larry Brader, Microsoft Corporation; Nadupalli Venkata Surya Sateesh, Sivanthapatham Shanmugasundaram, Infosys Technologies Ltd.
  • Edit team: Nelly Delgado, Microsoft Corporation
  • Release Management: Sanjeev Garg, Microsoft Corporation

© 2014 Microsoft. All rights reserved.